
I'm currently putting together a number of PS scripts which can be run against a new webserver in order to harden it prior to it being placed in production. One of these scripts will launch secedit and import a policy I have defined. My query is surrounding the [Event Audit] section of the policy inf file. It contains options for the various aspects to audit against, for instance:

[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 0
etc etc

From looking at this it would appear that I have two possible values: 1 or 0. My question is how do I set whether to log the Success, Failure or Success & Failure for each event? Any pointers would be greatly appreciated.

JLPH

2 Answers


I've since played around a bit and found the answer. There are 4 possible values for event audits:

  • 0 = No auditing
  • 1 = Success
  • 2 = Failure
  • 3 = Success, Failure

I hope this one day provides someone with a quick answer!

JLPH
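The following is an added example, not code from the original post: a PowerShell fragment that writes a secedit template whose [Event Audit] section uses the four values listed in the answer above (0 = none, 1 = success, 2 = failure, 3 = success and failure), imports it with secedit.exe, then exports the effective policy and compares it with what was requested. It assumes an elevated session; the file paths, the database name and the chosen per-category values are arbitrary, and the nine category names are the ones secedit itself writes into the [Event Audit] section.

```powershell
# Added example (not from the original post). Assumes: run as administrator;
# paths below are arbitrary; category names are secedit's own.

$AuditFlag = @{ None = 0; Success = 1; Failure = 2; Both = 3 }   # Both = success and failure

# Desired legacy audit policy for a web server (adjust to your own baseline).
$EventAudit = [ordered]@{
    AuditSystemEvents    = $AuditFlag.Both
    AuditLogonEvents     = $AuditFlag.Both
    AuditObjectAccess    = $AuditFlag.Failure
    AuditPrivilegeUse    = $AuditFlag.Failure
    AuditPolicyChange    = $AuditFlag.Both
    AuditAccountManage   = $AuditFlag.Both
    AuditProcessTracking = $AuditFlag.None
    AuditDSAccess        = $AuditFlag.None
    AuditAccountLogon    = $AuditFlag.Both
}

function New-AuditTemplate {
    param($Settings, [string]$Path)
    # Template header secedit expects. The signature line is single-quoted so
    # PowerShell does not try to expand $CHICAGO$ as a variable.
    $lines = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[Event Audit]')
    foreach ($name in $Settings.Keys) {
        $value = [int]$Settings[$name]
        if ($value -lt 0 -or $value -gt 3) { throw "$name must be 0..3, got $value" }
        $lines += "$name = $value"
    }
    # Unicode=yes in the header means the file itself must be UTF-16.
    Set-Content -Path $Path -Value $lines -Encoding Unicode
}

function Import-AuditTemplate {
    param(
        [string]$Path,
        [string]$Database = "$env:windir\security\database\harden.sdb",   # assumed name
        [string]$Log      = "$env:TEMP\secedit.log"
    )
    # SECURITYPOLICY is the area that carries audit policy; /quiet suppresses the prompt.
    & secedit.exe /configure /db $Database /cfg $Path /areas SECURITYPOLICY /log $Log /quiet
    if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed ($LASTEXITCODE); see $Log" }
}

function Get-EffectiveEventAudit {
    # Export the current policy and parse only the [Event Audit] section back into a table.
    $export = "$env:TEMP\secedit-export.inf"
    & secedit.exe /export /cfg $export /areas SECURITYPOLICY | Out-Null
    $result = [ordered]@{}
    $inSection = $false
    foreach ($line in Get-Content -Path $export) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Event Audit'); continue }
        if ($inSection -and $line -match '^\s*(Audit\w+)\s*=\s*(\d+)') {
            $result[$Matches[1]] = [int]$Matches[2]
        }
    }
    Remove-Item -Path $export -ErrorAction SilentlyContinue
    return $result
}

$template = "$env:TEMP\audit.inf"
New-AuditTemplate -Settings $EventAudit -Path $template
Import-AuditTemplate -Path $template

# Verify: what secedit reports back should match what was requested.
$effective = Get-EffectiveEventAudit
foreach ($name in $EventAudit.Keys) {
    $want = $EventAudit[$name]
    $got  = $effective[$name]
    $state = if ($got -eq $want) { 'OK' } else { 'MISMATCH' }
    '{0,-22} wanted {1}  got {2}  {3}' -f $name, $want, $got, $state
}
```

The export-and-compare step is the part worth keeping in a hardening script: if every category comes back as 0 after a successful import, the legacy [Event Audit] values are not in force on that host and the audit policy has to be checked another way.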

The legacy "Event Audit Policy" settings actually have five values (per MSDN):

  • 0 = None
  • 1 = Success Only
  • 2 = Failure Only
  • 3 = Success and Failure
  • 4 = None

However, if the [Registry Values] section contains this entry:

MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy=4,1

A value of 4,1 means that "Advanced Auditing" is in-use (4=DWORD,1=Enabled), and all of the legacy "Event Audit Policy" settings displayed via SECedit.exe will be set to 0.

The "Advanced Audit Settings" can be queried by running an additional command.

auditpol.exe /backup /file:C:\AuditPolicy.CSV

Signal15
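As an added example, not code from the original answer: the following PowerShell checks the SCENoApplyLegacyAuditPolicy value that the answer above describes, and when it is set (so the legacy [Event Audit] numbers from secedit are ignored) falls back to auditpol.exe, exporting the subcategory policy with /backup, setting a few subcategories with /set, and re-exporting to confirm. It assumes an elevated session; the backup path and the chosen subcategories and settings are arbitrary, and the CSV column names are those written by auditpol /backup.

```powershell
# Added example (not from the original answer). Assumes: run as administrator;
# backup path and the subcategory list are arbitrary choices for illustration.

function Test-AdvancedAuditPolicyEnforced {
    # SCENoApplyLegacyAuditPolicy = 1 (REG_DWORD) means the subcategory policy
    # wins and the nine legacy categories that secedit shows are ignored.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $item = Get-ItemProperty -Path $key -Name 'SCENoApplyLegacyAuditPolicy' -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.SCENoApplyLegacyAuditPolicy -eq 1)
}

function Export-AdvancedAuditPolicy {
    param([string]$Path = 'C:\AuditPolicy.csv')
    # auditpol writes one row per subcategory; Import-Csv gives us objects to filter.
    & auditpol.exe /backup "/file:$Path" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /backup failed with exit code $LASTEXITCODE" }
    return Import-Csv -Path $Path
}

function Set-AuditSubcategory {
    param([string]$Subcategory, [string]$Success = 'enable', [string]$Failure = 'enable')
    # Each of $Success / $Failure is 'enable' or 'disable', as auditpol expects.
    & auditpol.exe /set "/subcategory:$Subcategory" "/success:$Success" "/failure:$Failure" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for '$Subcategory' ($LASTEXITCODE)" }
}

# Subcategory settings to apply when advanced auditing is in force (illustrative baseline).
$Wanted = @(
    @{ Subcategory = 'Logon';                     Success = 'enable'; Failure = 'enable'  }
    @{ Subcategory = 'Logoff';                    Success = 'enable'; Failure = 'disable' }
    @{ Subcategory = 'Audit Policy Change';       Success = 'enable'; Failure = 'enable'  }
    @{ Subcategory = 'Security Group Management'; Success = 'enable'; Failure = 'enable'  }
    @{ Subcategory = 'Process Creation';          Success = 'enable'; Failure = 'disable' }
)

if (-not (Test-AdvancedAuditPolicyEnforced)) {
    'SCENoApplyLegacyAuditPolicy is not 1: the legacy [Event Audit] values in the secedit template apply.'
    return
}

'Advanced audit policy is enforced; legacy [Event Audit] values are ignored. Using auditpol.'

# Keep a copy of the policy as found before changing anything (auditpol /restore can reapply it).
$before = Export-AdvancedAuditPolicy -Path "$env:TEMP\AuditPolicy-before.csv"

foreach ($w in $Wanted) {
    Set-AuditSubcategory -Subcategory $w.Subcategory -Success $w.Success -Failure $w.Failure
}

# Re-export and confirm each requested subcategory now reports the expected setting.
$after = Export-AdvancedAuditPolicy -Path "$env:TEMP\AuditPolicy-after.csv"
foreach ($w in $Wanted) {
    $expected = switch ("$($w.Success)/$($w.Failure)") {
        'enable/enable'   { 'Success and Failure' }
        'enable/disable'  { 'Success' }
        'disable/enable'  { 'Failure' }
        default           { 'No Auditing' }
    }
    $row   = $after | Where-Object { $_.Subcategory -eq $w.Subcategory }
    $got   = if ($row) { $row.'Inclusion Setting' } else { '<not found>' }
    $state = if ($got -eq $expected) { 'OK' } else { 'MISMATCH' }
    '{0,-28} expected "{1}"  got "{2}"  {3}' -f $w.Subcategory, $expected, $got, $state
}
```

For a fleet of web servers the simplest pattern is to run auditpol /backup once on a host configured by hand, keep that CSV with the hardening scripts, and replay it on each new machine with auditpol /restore /file:<path>; the registry check above tells the script which of the two mechanisms actually governs the host.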